Welcome to the Cyber C-Suite
Conflicting information from the top
I was recently speaking with an executive client about an ongoing and persistent challenge that was disrupting his Board meetings. Members were finding it increasingly frustrating that, in their view, the dysfunctional structure of their Board was resulting in uninformed decision-making, conflict and ultimately putting the organisation at risk.
The long-standing CTO and recently-appointed CISO were providing conflicting information and cyber security advice – and the conflict was creating unanticipated negative ripples throughout the organisation.
The CTO was repeatedly questioning the technical and security credibility of the CISO, who had been recruited by the COO. There was also a CIO, but he rarely attended the mandatory Board meetings. The CIO’s absence from such meetings was never questioned. According to my client, this was because members weren’t entirely sure what the CIO was responsible for. Meanwhile, other members of the Board had raised concerns around the new CISO’s apparent lack of understanding and interest in the organisation’s strategic objectives and values.
It was interesting, and sometimes entertaining, listening to my client describing the ‘gotchas’ being exchanged, as the two leaders tried to outsmart each other. Unfortunately, there are no winners of these ‘stress-testing’ contests. The heated discussions weren’t confined to the confidential walls of the Board room, they were spilling out into the canteen and designated smoking areas in full view of employees, visitors, clients, suppliers and partners. As a result, the conflict was becoming the focus of office gossip throughout the organisation, with loyal staff members picking sides and rumours of some placing bets on their favourite to win.
Questioning the capabilities
Leaders in such scenarios are inevitably labelled by both peers and subordinates as unprofessional, regardless of which aspects of the arguments they’re supporting. As well as the inevitable loss of respect for both parties, it also raises the question of why the collective Board hasn’t already nipped the issue in the bud. When one leader openly and publicly questions another leader’s required specialist capabilities (in this case the CISO) others are likely to quietly question said CISO’s capabilities. Maybe that was the original intent. Regardless of motive or justification, this level of internal conflict should always be addressed before it impacts the success of the organisation.
As we analysed this particular situation, we focused on three key questions:
- Roles and Responsibilities: Is there any credible truth in the CTO’s claims regarding the capabilities of the new CISO, or do they just feel threatened? Today’s CISO role is arguably relatively new but the mandatory requirement to protect information assets and devices is definitely not new. It’s always been the responsibility of someone in the organisation and ultimately, the CEO is accountable, even if they’ve delegated responsibility down the reporting chain.
- Skills and Capabilities: Does the COO (or any Board member) really understand what an effective and credible CISO should be capable of? Or did they just create a wish list of pick’n’mix tick-box skills and badges, copied from various vacancies posted on one of the many questionable recruitment sites? Is the CISO the target scapegoat for the Board?
- Governance: Who has the authority, emotional intelligence, energy and negotiating skills to effectively and quickly resolve the escalating situation?
Unfortunately, egos and emotional intelligence can be a volatile cocktail and when you’re so far up the corporate ladder, and there really aren’t enough people around with the skills, energy and authority to effectively set the derailed train ‘back on track’.
The potential overlap between the CIO, CTO and CISO is a challenge for many organisations today. Internal governance issues can also negatively impact relationships with clients, suppliers and partners when they need to communicate with their counterparts. Additionally, each Chief is directly or indirectly responsible for information and cyber security, even if they aren’t aware of it. For example, the COO and HR Director need to ensure employment processes and contracts for starters and leavers address personnel security controls, aligning with the CTO/CIO/CISO to ensure user accounts are managed effectively. The CMO also needs to understand GDPR, including required technical and organizational controls. The more Chiefs you have in your C-Suite, the more overlap you’ll encounter in cyber security responsibilities and accountability.
Other Chiefs are available!
To add to the confusion and complexity, depending on the nature of your organization you may also have a Chief Compliance Officer, a Chief Security Officer, a Chief Digital Officer, a Chief Risk Officer, a Chief Data Officer, a Chief Analytics Officer, a Chief Experience Officer or a Chief Medical Officer.
Governance – it’s not an Optional Extra
Finally, it’s worth remembering that not all internal governance structures are the same. Not all roles and responsibilities are the same across the supply chain and specialist cyber security responsibilities in leadership roles are frequently hiding in plain sight, invisibly owned by blissfully unaware executives, heading for their 15 minutes of fame...
In case you’re on the UK government’s GCloud framework and thought cyber security governance was an optional extra, take a look at this clause in the framework.
A clearly identified, and named board representative (or a person with the direct delegated authority) who is responsible for the security of the cloud service.
This is typically someone with the title:
- 'Chief Security Officer' [CSO]
- 'Chief Information Officer' [CIO] or
- 'Chief Technical Officer' [CTO]'
It’s always worth reviewing your contractual security requirements to check you’re not operating in breach of legislation, regulation or contractual requirements.
Summary
Someone in your organisation is – and always has been - accountable for cyber security. If you don’t know who it is, it might be you! There are numerous variations of Chiefs found in the C-suite today, including the more traditional roles of CEO, CFO and COO as well as sector-specific roles such as Chief Medical Officer.
Cyber security is the responsibility of everyone in the organisation so it’s vital that the Board clarifies and clearly communicates the roles and responsibilities of everyone in the organisation including the Board, staff members, suppliers and partners.
Security governance isn’t an optional extra. If it’s officially your responsibility, it’s better to find out before there’s a high-profile career-destroying incident, rather than after…
About the author
Samantha Sanderson BSc (Hons) LCCP MIET is one of the few cyber security lead professionals certified by the UK's National Cyber Security Centre (NCSC). She started her specialist infosec career as a Research Scientist for the UK's Defence Evaluation and Research Agency (DERA) over 20 years ago and has over 35 years’ experience of working, studying, volunteering and playing in science, engineering and technology. Sam is the author of her company’s online GCHQ Certified Training course - Introduction to Cyber Security Leadership and Governance, designed for existing and aspiring leaders in the information and cyber security sector. She is also the founder of South East Cyber and runs free training Workshops for local businesses with her daughter.
